HOMEVULNERABILITIESCVE-2026-23348
NONE

CVE-2026-23348

Published: March 25, 2026· Updated: Mar 25, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:3.9th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

cxl: Fix race of nvdimm_bus object when creating nvdimm objects

Found issue during running of cxl-translate.sh unit test. Adding a 3s

sleep right before the test seems to make the issue reproduce fairly

consistently. The cxl_translate module has dependency on cxl_acpi and

causes orphaned nvdimm objects to reprobe after cxl_acpi is removed.

The nvdimm_bus object is registered by the cxl_nvb object when

cxl_acpi_probe() is called. With the nvdimm_bus object missing,

__nd_device_register() will trigger NULL pointer dereference when

accessing the dev->parent that points to &nvdimm_bus->dev.

[ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c

[ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025

[ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]

[ 192.899459] RIP: 0010:kobject_get+0xc/0x90

[ 192.924871] Call Trace:

[ 192.925959] <TASK>

[ 192.926976] ? pm_runtime_init+0xb9/0xe0

[ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]

[ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm]

[ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]

[ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core]

[ 192.943349] really_probe+0xde/0x380

This patch also relies on the previous change where

devm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead

of drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.

1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the

driver is probed synchronously when add_device() is called.

2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the

cxl_nvb driver is attached during cxl_acpi_probe().

3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in

devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.

4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()

will exit with -EBUSY.

The removal of cxl_nvdimm devices should prevent any orphaned devices

from probing once the nvdimm_bus is gone.

[ dj: Fixed 0-day reported kdoc issue. ]

[ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]

NVD Source

Technical Analysis

CVE-2026-23348 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (3)

Quick Facts

CVE IDCVE-2026-23348
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMar 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23348 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.